infrastructure. It’s important to tighten control over credentials that, if stolen, give attackers unfettered access to the organization’s assets.

For Windows shops, the administrator account — both the local admin and the domain or forest admin — is a main target. Microsoft’s Securing Privileged Access program helps IT teams analyze and review ways to protect administrator accounts and privileges.

Phase-in administrator account protection

The Securing Privileged Access program mitigates attacks that involve credential theft and abuse, the domain controller host and Active Directory deployment. The plan minimizes the number of administrator accounts and limits the times those accounts are needed. The strategy takes over six months to complete and consists of three phases:

First phase: This phase lasts two to four weeks and focuses on mitigating the easy attack vectors that take little effort and process change to turn off or fix.

Second phase: This phase takes one to three months and builds on the progress made in the first phase. Administrative privileges can shift from permanent to time-bound, lowering the exposure time of privileges and increasing visibility into how privileges are used. Administrative controls change how privileges are redeemed and carried out.

Third phase: This phase can take six months to a year and transitions the security strategy from reactive to proactive. Admins need to make systemic changes, which include software updates, to have the best possible security posture.

Follow this program at your own pace. As administrators complete each step, the quality and integrity of the defenses improve.

Follow this program at your own pace. As administrators complete each step, the quality and integrity of the defenses improve. Even if the organization does not finish the program, making just a few modifications will improve infrastructure security. The IT staff can resume the remainder of the phases at another time.

The Securing Privileged Access roadmap

Because of the complex nature of today’s data centers, which run on multiple operating systems and several identity repositories, Securing Privileged Access provides a roadmap and prescriptive strategy to manage administrative privileges. The third phase is the most complicated; it recommends the most changes to established processes for administrative tasks and requires that an organization run more recent — or current — versions of Windows Server.

Here is a more detailed outline of each phase of Securing Privileged Access:

Phase one directives: Mitigate the most frequent attack vectors. Make a separate administrative account just for administrative tasks and set up dedicated privileged access workstations for Active Directory administrators. Implement Local Administrator Password Solutions to generate unique local admin passwords for workstations and servers.

Phase two directives: Add visibility into administrative activity and build a wall against common follow-up attacks that target administrator accounts. Expand the privileged access workstation concept from Active Directory administrators only to all enterprise admins. Turn off additional features, such as Credential Guard and RDP Restricted Administrator groups, to harden these workstations. Use time-bound privileges so there is no permanent administrator, turn on multifactor authentication to elevate ordinary accounts to privileged levels and enable Just Enough Administration to manage domain controllers. Lower the attack surface on domain controllers and security boundaries overall, and develop methods to detect real-time attacks.

Phase three directives: Move into role-based administration and implement models to delegate privilege. All administrators will use smartcard or Microsoft Passport authentication.

Create a separate forest for Active Directory administrators to provide a second security boundary that protect accounts with the highest privilege. Organizations on Windows Server 2016 can enable code-integrity policies for another layer of malware protection on domain controllers. Those organizations also can move virtualized workloads to shielded VMs on the Windows Server 2016 Hyper-V fabric. If a VM is copied, the encryption will prevent data loss.

Microsoft provides this roadmap and the prescriptive guidance for free. While the Securing Privileged Access program exists in several different locations on the Microsoft site, the overarching plan can be found here with links to each phase.

Next Steps

Reinforce Windows Server security with these tactics

Just Enough Administration limits privileged access

Microsoft Identity Manager 2016 helps monitor, administer credentials

Dig Deeper on Windows Server Monitoring and Administration

Jonathan Hassell asks:

How do you prevent the wrong people from getting a hold of Windows Server administrator privileges?